How can I avoid clear text usernames and passwords in settings.xml?

In order to access Nexus Professional from Maven or any other build tools for deployment, you need to supply your username and password credentials. With Maven these credentials are typically stored in .m2/settings.xml in the users home directory. While this provides some security, since only the user and administrators have access to that file, in many environments this is not acceptable as secure enough.

Maven has a solution using encryption and a master password, which is cumbersome to use and only provides limited security. Nexus Professional 2.1+ provides the User Token feature set as a solution that is more secure and works for any build system or client. It works by creating tokens for username and password that do not allow decrypting the real username and passwords out of these values. Therefore your single sign on username and password does not have to be stored anywhere anymore. Instead the replacement tokens used only by Nexus are stored in the settings.xml file or other build system files or scripts. In addition the settings.xml template feature of Nexus supports automatic population of the users token in the settings file when requesting it from the server.